IIS MODULES UNDER ATTACK: LARVA-25003 CAMPAIGN ANALYSIS

AhnLab recently exposed the Larva-25003 campaign, where attackers exploit malicious IIS native modules to intercept and manipulate HTTP traffic on compromised servers. This attack demonstrates stealth, persistence, and monetization through advanced techniques.

🔗 Read the full report: AhnLab Blog
🔗 Splunk Threat Research Team (STRT) analysis: Fantastic IIS Modules and How to Find Them

Attack Breakdown

1. Initial Exploitation

  • Attackers target vulnerable IIS web servers.
  • Deploy a .NET loader web shell for fileless persistence.

2. Malicious IIS Module Deployment

  • Use `appcmd.exe` to install a malicious module.
  • The module runs inside the IIS worker process (w3wp.exe), where it intercepts HTTP traffic and rewrites responses on the fly.

3. IIS Pipeline Hooking

  • Attackers hook into critical IIS events:
    – `OnGlobalPreBeginRequest`
    – `OnBeginRequest`
    – `OnSendResponse`

4. Additional Malware & Evasion

  • GUI rootkit (HijackDriverManager) hides files & registry keys.
  • Gh0st RAT provides remote control.
  • Payloads are Base64-encoded and AES-encrypted, then decoded and executed in memory without touching disk.

You Should Know: Detection & Mitigation

1. Logging & Monitoring

✅ Enable Microsoft-IIS-Configuration/Operational logs:

wevtutil sl Microsoft-IIS-Configuration/Operational /e:true

✅ Monitor `w3wp.exe` DLL loads via Sysmon (Event ID 7):

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <RuleGroup name="IIS Module Tampering" groupRelation="or">
      <!-- Event ID 7 is ImageLoad: record every DLL loaded into the IIS worker process.
           Image is the loading process; ImageLoaded carries the DLL path for hunting.
           This is verbose on a busy server, so add ImageLoaded exclusions for known-good
           inetsrv and .NET Framework paths once a baseline exists. -->
      <ImageLoad onmatch="include">
        <Image condition="contains">w3wp.exe</Image>
      </ImageLoad>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

✅ Track loaded modules with PowerShell:

Import-Module WebAdministration
Get-WebGlobalModule | Select-Object Name, Image | Export-Csv -Path "iis_modules.csv" -NoTypeInformation

2. Atomic Red Team Simulation

Test IIS module abuse scenarios:

Simulate a malicious module install via appcmd.exe (appcmd is not on PATH by default, so use its full path):

%windir%\system32\inetsrv\appcmd.exe install module /name:EvilModule /image:"C:\temp\malicious.dll"

PowerShell-based module addition:

New-WebGlobalModule -Name "BadModule" -Image "C:\inetpub\malware.dll"

3. Detection Rules

🔍 Splunk detections for IIS abuse:

  • New module installs (EventCode 29)
  • Failed module loads (EventCode 2282)
  • Suspicious DLL paths (inetpub, caches.dll)
  • PowerShell misuse (New-WebGlobalModule)
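
The inventory written by the Export-Csv command above becomes useful once it is diffed against the live configuration. The following added example (not AhnLab's or Splunk's code) parses the globalModules section of an exported applicationHost.config and flags exactly what the detections list: modules absent from the baseline, modules whose image path changed, and images outside the IIS system directories. The trusted directory list, the configuration fragment and the baseline CSV are constructed assumptions.

```python
import csv
import xml.etree.ElementTree as ET

# Assumption: stock IIS native modules load only from these (lowercased) directories.
TRUSTED_DIRS = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\framework\\",
    "%windir%\\microsoft.net\\framework64\\",
)

# Constructed applicationHost.config fragment: two stock modules plus one under inetpub.
SAMPLE_CONFIG = """<configuration><system.webServer><globalModules>
  <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
  <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  <add name="CacheModule" image="C:\\inetpub\\temp\\caches.dll" />
</globalModules></system.webServer></configuration>"""

# Constructed baseline in the layout Export-Csv writes (an optional #TYPE line is skipped).
BASELINE_CSV = ('"Name","Image"\r\n'
                '"HttpLoggingModule","%windir%\\System32\\inetsrv\\loghttp.dll"\r\n'
                '"StaticFileModule","%windir%\\System32\\inetsrv\\static.dll"\r\n')

def global_modules(config_xml):
    """Return {module name: image path} for every <globalModules><add> entry."""
    root = ET.fromstring(config_xml)
    return {add.get("name"): add.get("image")
            for gm in root.iter("globalModules") for add in gm.findall("add")}

def load_baseline(csv_text):
    """Parse the Export-Csv inventory into {module name: image path}."""
    rows = [line for line in csv_text.splitlines() if not line.startswith("#TYPE")]
    return {r["Name"]: r["Image"] for r in csv.DictReader(rows)}

def is_trusted_path(image):
    return image.lower().startswith(TRUSTED_DIRS)

def audit(config_xml, baseline_csv):
    """Return (module, image, reason) findings: new modules, changed images, odd paths."""
    baseline = load_baseline(baseline_csv)
    findings = []
    for name, image in global_modules(config_xml).items():
        if name not in baseline:
            findings.append((name, image, "not in baseline"))
        elif baseline[name].lower() != image.lower():
            findings.append((name, image, "image path changed since baseline"))
        if not is_trusted_path(image):
            findings.append((name, image, "image outside trusted IIS directories"))
    return findings
```

Running audit(SAMPLE_CONFIG, BASELINE_CSV) reports CacheModule twice, once as unknown to the baseline and once for its inetpub image path; feed it the real export and a fresh `Get-WebGlobalModule` CSV to use it on a server.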

📥 Download all detections: Splunk Detections

What Undercode Says

The Larva-25003 campaign proves that IIS modules remain a prime target for attackers seeking long-term persistence. Defenders must:
– Enable deep IIS logging
– Monitor `w3wp.exe` activity
– Block unauthorized module installs

Key Linux & Windows Commands for Defense

✅ Check running IIS modules (Windows):

Get-Process w3wp | Select-Object -ExpandProperty Modules

✅ Find suspicious DLLs (Linux alternative for Apache/Nginx):

lsof -p "$(pgrep -d, nginx)" | grep '\.so'

✅ Detect hidden rootkits (Windows):

driverquery /v | findstr /i "hijack"

✅ Analyze HTTP traffic (Linux):

tcpdump -i eth0 port 80 -w http_traffic.pcap

🚀 Expected Output: A hardened IIS server with real-time monitoring, blocked malicious modules, and detection of Gh0st RAT & rootkits. Stay vigilant!

References:

Reported By: Michaelahaag Iis – Hackers Feeds